One checklist per service we run, mapped to the standard that actually governs it. Tick items off as you go — your progress is shown per checklist and does not leave your browser.
Standards verified against the official sources on 14 July 2026.
Why the version numbers matter. The OWASP Top 10 was re-issued as the 2025 edition and it replaces the 2021 list most checklists still quote. Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10) are new, Security Misconfiguration jumped to A02, and SSRF was absorbed into A01. If a provider is still scoping you against "OWASP Top 10 2021", that is a question worth asking them.
The Top 10 was re-issued in 2025 and replaces the 2021 edition. Two categories are brand new (A03, A10) and SSRF has been absorbed into A01 — if a checklist you are using still lists SSRF separately, it is out of date.
Still the current edition as of July 2026 — there is no 2025/2026 API list. Six of the ten involve technically valid requests from a real, authenticated user, which is exactly why scanners miss them.
MASVS v2 is category-based — the old L1/L2 verification levels are gone; risk tiering now lives in the MASTG as testing profiles (MAS-L1, MAS-L2, MAS-R). MASVS is the requirement, MASTG is the test.
The 2025 edition added System Prompt Leakage and Vector & Embedding Weaknesses, and rewrote Excessive Agency for real agent products. Treat it as a coverage map, not a tick-box list: prompt injection has no known complete fix, so the control has to be architectural.